Officials of the Pennsylvania Department of Health, the Allegheny County Health Department and Children's Hospital of Pittsburgh all refused to reveal the names of two pre-schoolers and their 33-year-old father who had been diagnosed with measles.

They even refused to name the Westmoreland County municipality where the family lives.

Earlier last month, when a West Virginia University freshman died of suspected meningococcal meningitis, the university, its health system and the local coroner refused to release her name until her parents gave permission.

In both cases, officials said provisions of the Health Insurance Portability and Accountability Act of 1996 prohibited them from releasing information. The act, generally known as HIPAA, required new safeguards to protect the security and confidentiality of health information.

The reluctance of health officials to release information likely is a result of the penalties the act carries -- fines of up to $250,000 and a prison term of up to 10 years -- for violations.

In the measles case, health officials said their investigations would reveal who had contact with the family, so those people could be treated, negating the need for public disclosure of their names.

But critics of HIPAA contend that in cases involving meningitis, measles or any other communicable disease, it is possible that not all of those at risk will know it. The need for privacy, HIPAA critics say, is trumped by a public health threat, and releasing names and other information is necessary so everyone at risk is alerted.

HIPAA includes a provision that, in limited circumstances, permits -- but does not require -- health officials to reveal information "for specific public responsibilities," such as public health.

"Where no other law requires disclosures in these situations, covered entities may continue to use their professional judgment to decide whether to make such disclosures based on their own policies and ethical principles," according to the U.S. Department of Health and Human Services.

Richard A. Epstein, the James Parker Hall Distinguished Service Professor of Law at the University of Chicago, said HIPAA prevents the dissemination of vital information to those who need it because health-care providers are confused about what is permitted and fearful of making a mistake for which they would be liable.

"HIPAA is a terrible statute, a most over-reactive statute, completely over the top," said Mr. Epstein, who has written on a variety of legal topics.

"That statute is comprehensive overkill. It substitutes very costly regulations in exchange for common sense. I can't think of anybody who is serious about these issues who regards the statute as anything but dysfunctional. It is a completely moronic statute."

In the meningitis case, he said, "[WVU] took exactly the posture I would expect from somebody trying to essentially keep itself from being liable."

He said it is a tough call but because meningitis is contagious, the student's name should have been immediately made public to protect those whom the university didn't know she had been exposed to. He wasn't so measured in reacting to the measles case.

"That's crazy with three people with measles, which is highly contagious. This institutes widespread panic.

"They have the balance all wrong. When the issue is public health [or privacy], public health should always come out on top."

But Dr. Arthur Caplan, chairman of medical ethics at the University of Pennsylvania, said in his view, it isn't wrong to delay release of the patients' names as public health officials try to track their movements to see how many people they came in contact with.

"I'd probably say that as long as public health officials are being zealous in their intention in locating people who may have come in contact, you don't need to give out names yet. As long as you're trying to track down people with exposure, you probably stay quiet for now about who it is," said Dr. Caplan.

But he added that if investigators learn that the source of the measles isn't the Children's Hospital emergency room, as the state health department believes, or that those infected had extensive exposure to the public, such as riding public transportation, then the names should be released "to alert people to watch for symptoms."

As for the exposure at WVU, he said, "They can protect privacy better if they know where the student went. The name has to be made public if they're not sure they can trace who was exposed to the student.

"In other words, if she went to parties and wandered around the campus a lot, that's a problem. If they know she was sick and stayed in her room and wasn't exposed to too many people, they can protect her name.

"There is a delicate balance but privacy yields when there really is a threat to others, and when preventive measures need to be taken, it makes it even stronger."